RISE Ultimate Project Manager and CRM Stored HTML Injection Vulnerability
Vulnerability
A stored HTML injection vulnerability has been identified in RISE Ultimate Project Manager & CRM versions prior to 3.9.4. This vulnerability allows authenticated users to inject arbitrary HTML into invoices, messages, and client notes. The injected HTML is rendered in emails, PDFs, and messaging modules, enabling phishing attacks, credential theft, and business email compromise. The issue is exacerbated by automated recurring invoices and messages, which can spread malicious content to multiple recipients.
Impact
Exploitation of this vulnerability could lead to large-scale phishing campaigns, business email compromise, and distribution of malware via email, PDF, or messaging channels.
Reproduction
To reproduce this vulnerability, an authenticated user with project manager privileges can inject HTML payloads into invoice line items or the messaging module. After saving the record, the injected HTML will be rendered in client-facing communications, including emails, PDFs, and chat messages. This vulnerability can also be exploited by setting up recurring invoices or messages, which will automatically distribute the malicious content to multiple recipients.
Remediation
Users are advised to upgrade to RISE CRM version 3.9.4 or later.
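As an added illustration that is not part of the advisory or of the RISE code base, the following Python shows the two defensive steps the description implies: render stored invoice fields with escaping (and an attribute-free allowlist for the one rich-text field), and audit rows created before the upgrade for markup outside that allowlist before the next recurring invoice or message goes out. Field names, the allowlist and the sample rows are assumptions constructed for the example.

```python
import html
import re
from html.parser import HTMLParser

ALLOWED_TAGS = {"b", "i", "p", "br"}  # formatting a rich-text field may keep

class AllowlistSanitizer(HTMLParser):
    """Rebuild markup keeping only ALLOWED_TAGS and no attributes, so href/src/on* never reach email, PDF or chat output."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")
    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(html.escape(data))  # text nodes are always escaped

def sanitize_rich_text(value: str) -> str:
    p = AllowlistSanitizer()
    p.feed(value)
    p.close()
    return "".join(p.out)

def render_line_item(item: dict) -> str:
    """Plain fields are escaped; only the description keeps allowlisted tags."""
    return (f"<tr><td>{html.escape(item['title'])}</td>"
            f"<td>{sanitize_rich_text(item['description'])}</td>"
            f"<td>{html.escape(str(item['amount']))}</td></tr>")

TAG_RE = re.compile(r"<\s*/?\s*([a-zA-Z][\w:-]*)")

def find_stored_markup(records, fields):
    """Audit stored rows: report tags outside the allowlist so pre-fix records can be cleaned."""
    hits = []
    for rec in records:
        for field in fields:
            tags = {t.lower() for t in TAG_RE.findall(str(rec.get(field, "")))}
            if tags - ALLOWED_TAGS:
                hits.append((rec["id"], field, sorted(tags - ALLOWED_TAGS)))
    return hits

# Constructed sample rows (not data from the advisory): a clean item and one
# carrying injected markup of the kind the advisory describes.
SAMPLE_ITEMS = [
    {"id": 1, "title": "Hosting", "description": "<b>March</b> plan", "amount": 120},
    {"id": 2, "title": 'Consulting <a href="https://attacker.example/pay">Pay now</a>',
     "description": '<p>10 hours</p><iframe src="https://attacker.example"></iframe>', "amount": 900},
]
```

Running `find_stored_markup(SAMPLE_ITEMS, ["title", "description"])` flags only the second row, and `render_line_item` on that row emits the anchor as escaped text and drops the iframe entirely.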